Canadian Banks Say They’re Safe From Heartbleed…. But Is That True?

Seeing that most of us have used online banking at some point, the Heartbleed bug should garner your attention, as every bank in Canada as well as elsewhere uses SSL/TLS to encrypt your data between their servers and your browser. Here in Canada, the Canadian Bankers Association put out a statement that said this:

The online banking applications of Canadian banks have not been affected by the Heartbleed bug. Canadians can continue to bank with confidence.

Banks have sophisticated security systems in place to protect customers’ personal and financial information, including encryption and other measures.

As part of a normal course of business, the banks actively monitor their networks and continuously conduct routine maintenance to help ensure that online threats do not harm their servers or disrupt service to customers.

As always, bank customers should take the usual steps to protect themselves from fraud. This includes monitoring bank and credit card statements looking for any unusual activity, protecting PINs and passwords and changing PINs and passwords periodically.

So, is this true or not? That’s the question. To find out, I used one of the Heartbleed checkers, specifically the one provided by the makers of the password management software LastPass, on the login pages of the five major banks in Canada. That would be TD Canada Trust, CIBC, RBC, BMO, and Scotiabank. Here’s what I found.

First up, BMO:

BMO

Hmmm…. that doesn’t inspire confidence. Let’s try CIBC:

CIBC

That doesn’t inspire confidence either. Next in line is RBC:

RBC

This is starting to get concerning. Then there’s Scotiabank:

Scotiabank

Well, that’s the best of the bunch so far. But it isn’t clear which side of the fence they are on. Last up is TD Canada Trust:

TD

It’s not clear which side of the fence these guys are on either.

Now to make sure that I wasn’t hitting a server (as these banks likely have a cluster of web servers that work together to serve customers) that had not been patched yet, I tried each site 10 times and got the same result each time. Thus this implies to me that maybe the banks aren’t as secure from Heartbleed as they say they are, or they have things behind the scenes that make this less of an issue. Even if the latter is true, one would think that they would take care of any Heartbleed-related issues so that if someone like me, or more importantly your average consumer, checks their bank using a Heartbleed checker to get some peace of mind, it would pass. With the results that I got from this test, I can’t say that I have the warm fuzzies despite what the Canadian Bankers Association are saying to Canadians. Perhaps the Canadian Bankers Association would like to explain this in as transparent a manner as possible so that I can post that reply for everyone to see? I am sure Canadians would like to know what they have to say about this.

And for anyone out there who wonders if the secure websites that they use are safe, please use a Heartbleed checker to find out. If it doesn’t pass, ask the site why and what their plans are to remedy that. They owe it to you as a customer to answer that question.
